Open janpieterk opened 3 years ago
Thanks for reporting, @janpieterk. I'm going to call on some help from @ajnyga or @ctgraham. I think both of you run journals on custom domains. Are you able to reproduce this issue?
OJS 3.3.0.7 has the same problem, updated the issue to reflect this.
I wonder if https://github.com/pkp/pkp-lib/issues/4595 is related?
Edit: oh, it seems it was already mentioned above...
I only have a setup for subdomains. I solved 4595 by hardcoding the domain to the cookie (session.cookie_domain) and it fixed the problem described there.
I actually have not set base_url[index] at all in the config. I remember having problems with that setting back in 3.0 and it has remained empty since then in our case. I only have the individual journal base_url's set.
I have the same problem; I just upgraded to OJS 3.3.7. Because of the error display, I restored the OJS 3.2.1 backup, but when setting "site settings" in the administrator section I have to choose two languages, otherwise it can't be saved.
> I actually have not set base_url[index] at all in the config. I remember having problems with that setting back in 3.0 and it has remained empty since then in our case. I only have the individual journal base_url's set.

Setting base_url[index] was the solution for the "Administration" menu resulting in a 404 when trying to access it from the backend of a journal with a custom domain (note: not a subdomain, a separate domain).
Without base_url[index], "Administration" points to https://customdomain.tld/index/admin, which does not exist. With base_url[index], "Administration" points to the correct URL https://maindomain.tld/index/admin.
Yeah, my installation is not helpful here since we only have subdomains and have not tested an upgrade to 3.3 yet.
If it helps I can duplicate this bug right now in 3.3.0.10 with an installation we have. Let me know how I can help.
@jnugent At least it's helpful to know that this issue still exists in 3.3.0.10.
Still exists in 3.3.0.11
Still exists in 3.3.0.14
Still exists in 3.3.0.14
OJS installation (3.2.1.1 or 3.3.0.7) with the base_url set to maindomain.tld and journals both on maindomain.tld/path and customdomain.tld. Editing journal on domain customdomain.tld from central Administration menu does not work.
To Reproduce
Steps to reproduce the behavior:
{"error":"form.csrfInvalid","errorMessage":"The form could not be submitted. You may have been logged out. Please reload the page and try again."}
Note that all CORS headers are correctly sent! See the Apache config below. There are no complaints about missing or duplicate Access-Control-Allow-Origin headers or the like.
I dived into the OJS code and found this in lib/pkp/classes/security/authorization/internal/ApiCsrfMiddleware.inc.php:
And this seems to be the source of the 403. It turns out that the HTTP_X_CSRF_TOKEN which is sent from maindomain.tld is different from the $session->getCSRFToken() which belongs to the login session of customdomain.tld.
This leads me to believe that using the Administration menu (which is always from maindomain.tld) will never work for journals which use a custom domain.
Does this look correct, or am I missing something?
What application are you using? OJS 3.2.1.1, OJS 3.3.0.7
Additional information
Configuration:
config.inc.php:
Apache configuration, maindomain.tld.conf:
Apache configuration, customdomain.tld.conf
Possibly related issues: https://github.com/pkp/pkp-lib/issues/5972 https://github.com/pkp/pkp-lib/issues/4595
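The token mismatch described in this report can be modelled in a few lines. The following is an added illustration, not code from OJS or pkp-lib (whose middleware is PHP): a constructed Python model in which each cookie domain has its own session with its own CSRF token, and a state-changing request is accepted only when the X-CSRF-Token header equals the token of the session the request's cookie selects. The class and function names (`SessionStore`, `csrf_check`, `simulate`) and the domain names are assumptions chosen for the example; the error key `form.csrfInvalid` is the one quoted in the report.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """One login session, bound to the cookie domain that issued it."""
    domain: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    """Constructed model of an API request: the cookie domain whose
    session cookie the browser attached, the HTTP method, and headers."""
    cookie_domain: str
    method: str
    headers: dict


class SessionStore:
    """Sessions keyed by cookie domain. A browser only sends a cookie to
    the domain that set it, so maindomain.tld and customdomain.tld end up
    with two unrelated sessions, each with its own CSRF token."""

    def __init__(self):
        self._by_domain = {}

    def get(self, domain):
        if domain not in self._by_domain:
            self._by_domain[domain] = Session(domain)
        return self._by_domain[domain]


def csrf_check(session, request):
    """Decision the middleware makes: state-changing methods must carry a
    token equal to the one stored in the caller's own session.
    Returns (allowed, error_key)."""
    if request.method in ("GET", "HEAD", "OPTIONS"):
        return True, None
    sent = request.headers.get("X-CSRF-Token", "")
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    if not hmac.compare_digest(sent.encode(), session.csrf_token.encode()):
        return False, "form.csrfInvalid"
    return True, None


def simulate(store, page_domain, api_domain):
    """A page served from page_domain embeds the token of page_domain's
    session and sends a PUT to api_domain. The cookie that travels with
    that request belongs to api_domain, so that is the session checked."""
    token = store.get(page_domain).csrf_token
    req = Request(cookie_domain=api_domain, method="PUT",
                  headers={"X-CSRF-Token": token})
    return csrf_check(store.get(req.cookie_domain), req)


if __name__ == "__main__":
    store = SessionStore()
    # Same-domain edit: token and session agree.
    print(simulate(store, "maindomain.tld", "maindomain.tld"))
    # Administration page on maindomain.tld editing a customdomain.tld
    # journal: the token came from the wrong session, so it is rejected.
    print(simulate(store, "maindomain.tld", "customdomain.tld"))
```

Running it shows `(True, None)` for the same-domain case and `(False, 'form.csrfInvalid')` for the cross-domain case, which is the 403 the report observes: the CORS headers are irrelevant because the request is rejected by the per-session token check, not by the browser.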